BUG-14986 Authorization Bypass via Forceful Browsing IMPROVEMENT

2014-06-20 16:08:47 -04:00
parent 542aba432f
commit 2cdd7c1a02
11 changed files with 32 additions and 0 deletions
--- a/workflow/engine/controllers/admin.php
+++ b/workflow/engine/controllers/admin.php
@@ -15,6 +15,8 @@ class Admin extends Controller

    public function system ()
    {
+        global $RBAC;
+        $RBAC->requirePermissions( 'PM_SETUP' );
        require_once PATH_CONTROLLERS . 'main.php';
        G::loadClass( 'system' );
        $skinsList = System::getSkingList();
@@ -60,6 +62,8 @@ class Admin extends Controller

    public function uxList ()
    {
+        global $RBAC;
+        $RBAC->requirePermissions( 'PM_SETUP' );
        require_once PATH_CONTROLLERS . 'adminProxy.php';
        $this->includeExtJS( 'admin/uxUsersList' );
        G::LoadClass( 'configuration' );